Trying to implement SSO in a SaaS application that has a Web Interface as well as a desktop application, both of which are backed by common Rest APIs. Authorization Code flow for the Web interface is straightforward; the issue I'm having is with the desktop app (i.e. Native client).
The OAuth2/OIDC recommended flow is ROPC; however, it's considered the absolute last resort. On top of that, it doesn't support MFA, which is a big issue since MFA is used quite often. Another issue is the different sign-in flows between Web UI and Desktop app, which could confuse users.
That's why I've been looking into Authorization Code flow for the desktop app as well. Since Google doesn't support embedded browser views, that leaves me with opening the OS default browser for sign-in. Typically, how it's done is that my app will temporarily start listening on a local port, and that localhost/port URL will be specified as the redirect/callback URI after authentication. As soon as authentication is done, my desktop app (listening on localhost) will get an HTTP request, and my app will be able to figure out whether the login was successful or not, as well as the authorization code. That can then be sent over the Rest API to the backend to complete the login sequence.
Apparently, Okta does not support redirecting to localhost, so it seems like I've run into a dead end. Can I use a local IP instead, e.g. 127.0.0.1, or is even that not allowed?
Anyone from okta who can direct me to the proper solution?
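For readers following the loopback approach described in the question, here is a small self-contained illustration of it in Python. This is added example code, not code from the original post and not any vendor SDK. It assumes placeholder values for the authorize endpoint and client ID, registers the loopback URI as `http://127.0.0.1/callback` with the port chosen at runtime (the pattern RFC 8252 section 7.3 describes for native apps), and adds two things the question does not mention but which a public client should have: a PKCE code verifier/challenge (RFC 7636, S256) so an intercepted code is useless without the verifier, and a `state` check so the listener only accepts the redirect it started. The `simulate_browser_redirect` helper stands in for the browser so the round trip can be exercised offline.

```python
"""Loopback redirect listener for a native OAuth 2.0 / OIDC client.

Added example (not from the original post). Placeholders below stand in for the
identity provider's real values.
"""
import base64
import hashlib
import secrets
import threading
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idp.example.test/oauth2/v1/authorize"  # placeholder
CLIENT_ID = "native-client-id-placeholder"                            # placeholder


def pkce_challenge(verifier):
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); the verifier never leaves the client
    until the token exchange."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(redirect_uri, state, code_challenge, scope="openid profile"):
    """Authorization request the desktop app opens in the OS browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(path, expected_state):
    """Pull the code out of the redirect; refuse anything with the wrong state."""
    query = parse_qs(urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        return {"error": "state_mismatch"}
    if "error" in query:
        return {"error": query["error"][0]}
    code = query.get("code", [None])[0]
    if not code:
        return {"error": "missing_code"}
    return {"code": code}


class LoopbackServer:
    """One-shot HTTP listener bound to 127.0.0.1 on an OS-assigned port."""

    def __init__(self, expected_state, path="/callback"):
        self.expected_state = expected_state
        self.path = path
        self.result = None
        outer = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                if urlparse(self.path).path != outer.path:
                    self.send_error(404)
                    return
                outer.result = parse_callback(self.path, outer.expected_state)
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"Sign-in complete. You may close this window.")

            def log_message(self, *args):  # keep the desktop app's console quiet
                pass

        # Port 0 lets the OS pick a free port; RFC 8252 asks providers to accept
        # any port for loopback redirect URIs.
        self.httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.httpd.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}{path}"

    def wait_for_callback(self, timeout=300):
        """Serve exactly one request (or time out), then close the socket."""
        self.httpd.timeout = timeout
        self.httpd.handle_request()
        self.httpd.server_close()
        return self.result


def simulate_browser_redirect(server, code):
    """Test stand-in for the browser: hit the loopback URI as the IdP redirect would."""
    url = f"{server.redirect_uri}?{urlencode({'code': code, 'state': server.expected_state})}"
    client = threading.Thread(target=lambda: urllib.request.urlopen(url, timeout=5).read())
    client.start()
    result = server.wait_for_callback(timeout=5)
    client.join()
    return result


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    server = LoopbackServer(state)
    webbrowser.open(build_authorize_url(server.redirect_uri, state, challenge))
    print(server.wait_for_callback())  # {'code': ...} or {'error': ...}
```

One design consequence worth noting for the "send the code to the backend" step in the question: with PKCE, whichever party exchanges the code at the token endpoint must also present the `code_verifier`, so if the desktop app hands the code to the backend over the REST API, it has to hand over the verifier with it (over TLS), and the backend should use the same `redirect_uri` it was issued for.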